Policy and Basic Concept
The ITOCHU Group is exposed to various risks, such as market, credit, and investment risks, due to the wide-ranging nature of its businesses. These risks include unpredictable uncertainties and may have significant effects on the Group's future financial position and business performance.
We acknowledge risk management as a key management issue. Therefore, we have established our basic risk management policy and develop the necessary risk management systems and techniques based on the concept of the COSO-ERM framework. Specifically, we have defined the following 18 risks as major risks* and are responding to them by building information management and monitoring systems at each department responsible for managing these risks on a consolidated basis. In addition, we periodically review the effectiveness of management systems through our internal committees. Moreover, in accordance with the medium-term management plan, we conduct risk assessments across the company to reevaluate the risks we are currently aware of and identify risks comprehensively.
- Compliance Risks
- Legal Risks (Excluding Compliance Risks)
- Risks Associated with Trade Security Policy Management
- Risks Associated with Customs
- Country Risks
- Commodity Price Risks (Specific, Important Product)
- Credit Risks
- Investment Risks
- Stock Price Risks
- Foreign Exchange Rate Risks
- Interest Rate Risks
- Financing Risks
- Information System Risks
- Information Security Risks
- Labor Management Risks
- Human Resources Risks
- Risks Associated with the Appropriateness of Financial Reporting
- Risks Associated with Internal Control
Structures and Systems
We established the Principal Internal Committee (Internal Control Committee, Disclosure Committee, ALM Committee, Compliance Committee, Sustainability Committee, Investment Consultative Committee) as the subordinate organization of HMC and have established and maintained a system to report and discuss individual projects and internal systems related to risks in various fields.
Along with strategic business alliances, business investment is an important means of creating new businesses. Based on our strategic goals, we choose the optimal format from a range of methods, such as establishing a wholly owned subsidiary, implementing joint investment with partners, and participating in management through M&As. In principle, we hold assets with a goal of long-term investment. After making each investment, we work to maximize our corporate value and to expand trade and dividends received through the full utilization of our Groupwide capabilities. With larger-scale investments and increases in acquisition prices in recent years, we are rigorously screening the appropriateness of the business plan and acquisition price when we invest. For existing investments, to increase investment earnings and to exit quickly from low-efficiency assets, we are further strengthening monitoring procedures, centered on instituting more rigorous exit criteria and thoroughly implementing periodic investment review.
Decision-Making Process for New Investments
A multilayered decision-making process that achieves quick decision-making by giving a certain level of discretion to the Division Companies while striving to pursue investment return and curb investment risk.
Business Investment Process
Under "Brand-new Deal 2017," the share of Group companies reporting profits reached 90% or higher for the first time, through a revision of exit standards and by upgrading business investment management. Through "Brand-new Deal 2020," we plan to build a strong earnings base with high risk tolerance and further improve the share of Group companies reporting profits by moving forward with our existing investment process, thoroughly inspecting the appropriateness of business plans, and conducting prioritized monitoring of sub-subsidiaries.
Risk Capital Management
Risk Assets and Risk Buffer
We introduced Risk Capital Management in FYE 2000, when we were carrying large amounts of interest-bearing debt and inefficient assets, making far-reaching management reforms a matter of urgency. Since then, we have pressed forward in that spirit, understanding risk quantitatively and conducting control continuously and rigorously, even now that our financial position has improved. Specifically, our basic operational policy involves first calculating risk assets based on the maximum amount of possible future losses from all assets on the balance sheet, including investments, and all off-balance-sheet transactions. Second, we manage the quantity of risk assets within the limits of our risk buffer (consolidated shareholders' equity + non-controlling interests). As we promote investment in new and next-generation technologies moving forward, we will work to maintain risk assets within the limits of our risk buffer, conduct strict risk management, and further strengthen our financial position.
Country Risk Management
The ITOCHU Group is actively expanding its business in countries and regions overseas and is therefore exposed to various country risks that arise as a result of political, economic, or societal circumstances in those countries and regions. Managing country risk is extremely important because negative factors, such as delay or inhibition of debt collection or operational implementation, can occur all at once and cause large losses.
To respond to these risks, we formulate appropriate risk countermeasures for each individual project and evaluate and analyze risk tolerance. We also establish Groupwide country risk management regulations from the standpoint of preventing excessive concentration of risk in specific countries or regions. Additionally, we work toward risk management by setting limits for each country that are based on internal country rating standards and maintain overall exposure at a level that is appropriate for the Group's financial strength.
Furthermore, we assign exposure limits to countries independent of deliberation processes concerning individual projects and conduct strict country risk management through measures such as not allowing related projects to proceed when country limits have not been assigned.
Additionally, we proactively work to reduce risk by formulating credit policies appropriate for each country according to need and stationing country risk management officials at each Division Company who collaborate with headquarters and manage risk for those Companies.
Security Risk Management
In the past, our computers were infected with malware (malicious software), resulting in an external leak of client information. We have since focused on countermeasures aimed at preventing this from reoccurring. We have strengthened these preventative countermeasures by expanding security infrastructure for monitoring and defense, drastically revising the structure of our cybersecurity countermeasures team (ITCCERT: ITOCHU Computer Emergency Readiness, Response & Recovery Team), and hiring expert advanced cybersecurity analysts.
We routinely collect the latest information regarding threats through analysis of system logs and malware and conduct preventative measures. Additionally, when accidents (incidents) do occur, we respond instantly by investigating their causes, discussing possible countermeasures, and restoring services. In FYE 2018, we established an exclusive space for ITCCERT within our IT Planning Division and are working to strengthen security countermeasures across the entire Group and develop security countermeasure personnel. We also dispatch analysts to Chiba University under cross-appointment contracts (mixed-wage systems) in an effort to train and develop the cybersecurity countermeasure technicians that society needs. There are few examples of user companies in Japan that are working as actively as we are to develop systems and respond to information security risk. We plan to proceed with initiatives supporting sustained growth moving forward.
We periodically undertake the efforts below to maintain and improve the information management structure for information security education.
- We give training to all employees on measures against targeted e-mail attacks, a type of cyber-attack, twice a year.
- We simultaneously hold information security courses through e-learning for all employees and group companies in Japan and overseas every three years.
- We hold information security workshops and lectures for our group companies with ITCCERT serving as the lecturer several times a year.